diff options
| author | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-12-12 15:01:24 +0100 |
|---|---|---|
| committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-12-12 15:01:24 +0100 |
| commit | e15fd68c5dc4089690b5d3086776c3851e504bb7 (patch) | |
| tree | 2c75274dee02b07463c9164efdf6888e1a9c75dc /services/audioflinger/Effects.cpp | |
| parent | 185e2110a53feb7720d91b6f8366ad27402f21cc (diff) | |
| parent | 26c5fa31d17a638bf314de6e12e86bb8a86db44b (diff) | |
| download | frameworks_av-e15fd68c5dc4089690b5d3086776c3851e504bb7.zip frameworks_av-e15fd68c5dc4089690b5d3086776c3851e504bb7.tar.gz frameworks_av-e15fd68c5dc4089690b5d3086776c3851e504bb7.tar.bz2 | |
Merge branch 'cm-13.0' of https://github.com/CyanogenMod/android_frameworks_av into replicant-6.0
Diffstat (limited to 'services/audioflinger/Effects.cpp')
| -rw-r--r-- | services/audioflinger/Effects.cpp | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/services/audioflinger/Effects.cpp b/services/audioflinger/Effects.cpp index 879b6c9..5505d2e 100644 --- a/services/audioflinger/Effects.cpp +++ b/services/audioflinger/Effects.cpp @@ -543,6 +543,13 @@ status_t AudioFlinger::EffectModule::remove_effect_from_hal_l() return NO_ERROR; } +// round up delta valid if value and divisor are positive. +template <typename T> +static T roundUpDelta(const T &value, const T &divisor) { + T remainder = value % divisor; + return remainder == 0 ? 0 : divisor - remainder; +} + status_t AudioFlinger::EffectModule::command(uint32_t cmdCode, uint32_t cmdSize, void *pCmdData, @@ -558,6 +565,28 @@ status_t AudioFlinger::EffectModule::command(uint32_t cmdCode, if (mStatus != NO_ERROR) { return mStatus; } + if (cmdCode == EFFECT_CMD_GET_PARAM && + (*replySize < sizeof(effect_param_t) || + ((effect_param_t *)pCmdData)->psize > *replySize - sizeof(effect_param_t))) { + android_errorWriteLog(0x534e4554, "29251553"); + return -EINVAL; + } + if ((cmdCode == EFFECT_CMD_SET_PARAM + || cmdCode == EFFECT_CMD_SET_PARAM_DEFERRED) && // DEFERRED not generally used + (sizeof(effect_param_t) > cmdSize + || ((effect_param_t *)pCmdData)->psize > cmdSize + - sizeof(effect_param_t) + || ((effect_param_t *)pCmdData)->vsize > cmdSize + - sizeof(effect_param_t) + - ((effect_param_t *)pCmdData)->psize + || roundUpDelta(((effect_param_t *)pCmdData)->psize, (uint32_t)sizeof(int)) > + cmdSize + - sizeof(effect_param_t) + - ((effect_param_t *)pCmdData)->psize + - ((effect_param_t *)pCmdData)->vsize)) { + android_errorWriteLog(0x534e4554, "30204301"); + return -EINVAL; + } status_t status = (*mEffectInterface)->command(mEffectInterface, cmdCode, cmdSize, |